Exposure · Check
security.txt missing Expires field — adding the required expiry per RFC 9116
RFC 9116 requires an `Expires:` field in security.txt. Without it, automated researcher tooling treats the file as malformed. Add an ISO-8601 timestamp one year out and rotate annually.
Real-world risk
Without Expires, security contact files may be cached longer than you intend, leaving stale reporting channels in place after incidents.
Fix steps (in order)
- Add an Expires: field with an RFC 5322 datetime after which clients should refresh security.txt.
- Automate regeneration so Expires always stays ahead of rotations and staffing changes.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (security_txt_no_expires) clears once the externally-observable signal is in place.